
About the Author

Abhik Chaudhuri

Abhik Chaudhuri is a Domain Consultant with the Information Technology Infrastructure Services (ITIS) Global Technology Practice at Tata Consultancy Services (TCS). A specialist in cyber security and policy, he is focused on developing secure IoT systems for smart cities. Chaudhuri has more than 13 years of IT experience, and is a Chevening TCS Fellow in Cyber Security and Policy.

Abstract

Rapid growth in global population and evolving technological, macro-economic, and environmental landscapes have fueled widespread interest in smart cities, which are, essentially, dynamic ecosystems characterized by highly advanced, intuitive, and interdependent cyber systems. As emerging digital technologies and the Internet of Things (IoT) pave the way for these smart habitats, effective risk management becomes more crucial than ever. This is where a smart city council can play a vital role. By identifying vulnerable systems, assessing the type and magnitude of probable risks, and instituting remedial measures, these bodies can thwart cyber-attacks and create risk-resilient smart services. This article discusses the smart city concept, and how smart city councils can effectively address the information security needs of interdependent systems to provide risk-free smart services to their citizens.

The Rise of Smart Cities

Approximately 70% of the world's population is expected to live in cities by To meet the growing needs of this population, city councils the world over are in an expansion mode. The concept of 'smart cities' lends promise in this scenario, as these cities are expected to provide a superior living experience thanks to a host of cyber-enabled services. As in the case of all IT-enabled services, smart city services too should be risk-free and secure for their citizens to use. In connecting devices and users, cyber systems should ensure the highest level of confidentiality and integrity, while allowing unhindered availability. It is therefore important to proactively manage the security risks of the interdependent systems of the smart city digital infrastructure.

Two key features of smart cities are citizen-centricity and digitally-enabled infrastructure. Aside from having smart infrastructure, a smart city has advanced systems to manage energy, transport, traffic, water, healthcare, and education. Essentially, it is a seamless union of technology, government, and society to enable smart living, which is characterized by a booming economy, effective governance, and convenient public services.

ITU-T's Focus Group on Smart Sustainable Cities (FG-SSC) defines a smart sustainable city as an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social, and environmental aspects. [1]

Interdependent Systems: The Backbone of Smart Cities

Interdependent systems are the foundation stone of smart cities, as they provide the critical infrastructure to handle major public systems and citizen services. These include water and energy generation and transmission setups, transportation frameworks, waste disposal mechanisms, street and home lighting systems, connected healthcare, surveillance, and more. Interdependent systems also enable dynamic and synergistic data gathering and analytics, which drives continuous improvements across systems. In effect, a smart city is a 'system of systems' that follows a scale-free topology to allow future expansion, but without affecting the attributes of interdependency and interconnectedness.

Opportunities and risks

The Internet of Things (IoT) promotes an ecosystem of smart applications and services by interconnecting everyday objects and applications, thus enhancing people's lives. IT-enabled interdependent systems present several opportunities to improve a citizen's lifestyle. They can help city councils take necessary actions based on real-time analysis of the data collected from various interdependent systems. For example, the city council can analyze health data of its citizens to identify adverse health scenarios, such as virus attacks, at an early stage, and take necessary actions to prevent widespread outbreaks. Data integration in smart cities can also be utilized to map energy efficiency of buildings, prevent crime, and effectively manage natural disasters. In addition, it can be leveraged to monitor the city's development in areas such as housing, education, transport, medical services, and employment.

[1] ITU-T FG-SSC, Focus Group on Smart Sustainable Cities, June 2014, accessed November 2015

However, these interdependent systems also pose operational challenges and security risks. If one smart service information system fails to provide relevant information to other connected smart services, it can lead to chaotic situations, which eventually may result in a complete breakdown. For example, the failure of a smart traffic management database server can cause havoc with the smart transport management system, thus inconveniencing citizens and disrupting governance. Another example is a smart healthcare service, where a breach in the network or in the health monitoring device can put the patient's life at risk.

Why Risk Mitigation is a Top Priority for Smart Cities

Due to the large number of connected devices that make up a smart city's digital infrastructure, enhanced security management for gateway devices, such as industrial control systems (ICS) and IT systems (ITS), is critical to prevent data breach or leakage. Leakage of sensitive data can lead to a lock-down of critical services.

A smart city framework deals with huge volumes of data that are generated as a result of communication between various interdependent subsystems and the interactions between devices and citizens. Protection of such private and sensitive information, especially citizen data, is of utmost importance. Further, any incident of data breach or data loss can damage citizens' perception of security in a smart city.

Other information security concerns include interception of wireless data in transit between senders and receivers, leakage of confidential information, and viruses in devices such as sensors. Cloud-based information services and data storage in smart cities can also be compromised through hacking and other subversive activities.

The Role of Smart City Councils

Risk mitigation in smart cities requires a detailed understanding of several factors. These include design and architecture of smart services, IT infrastructure support capabilities, and the knowledge of probable cyber threats. A city council should operate like a modern-day enterprise with specific goals and objectives that include planning for defending against cyber-attacks and responding to emergencies.

Ensuring security of network and sensors

The smart city council should secure connected systems and sensors from any physical attack or infiltration. Identity management and device authentication mechanisms should be deployed at every interface of a smart system. Digital forensic capabilities, which help trace cyber breaches and gather evidence of malicious activities for legal action, should be integrated with the overall cyber architecture, right from the design phase. Gathering and analyzing real-time data with supervisory control and data acquisition (SCADA) will help predict security failures, and thus prevent a complete lock-down of critical services.

Building resilient systems

As a smart city grows, the interconnections of systems and interdependencies of smart services increase manifold. This makes them more vulnerable to cyber-attacks. The smart city council should therefore aim to design risk-resilient digital architecture. The architecture should possess the adaptive capability to arrest anomalies in the nascent stage, and lock down a subsystem without disturbing other live components, ensuring uninterrupted service delivery.

City councils should build resilient interdependent systems to handle cyber emergencies and restore impacted services quickly. An effective cyber resilience strategy also helps protect the various connected devices and assets in case of any eventuality. Business continuity planning (BCP) is an effective risk management initiative that can help the smart city council ensure the security and availability of smart services. Periodic BCP drills should be conducted, audited, and documented for ready reference during criticalities. This will enable smart cities to take a recovery-oriented approach toward risk management.

Adopting international standards

The security standards and risk mitigation strategies currently being used to secure IT systems may not be adequate to safeguard the interdependent systems in smart cities. ISO 22301:2012, the International Standard for Societal Security Business Continuity Management Systems [2], should be adopted to prevent the disruption of citizen services.

Proper communication management is critical for smart cities to respond to cyber threats and other exigencies. Communication channels with pre-identified points of contact should be defined, documented, and regularly updated. These documents should be made available to all stakeholders for easy reference if and when the need arises.

Performing system impact and interdependency analysis

Periodic system impact analysis should be performed to identify risks posed to critical interdependent systems and interconnected services, with appropriately defined recovery time and recovery point objectives. Smart cities should also have secure data receivers and data storage to collect and store data generated from the ICS and ITS components for analysis, decision making, and incident response management. The stored data should be periodically backed up. As a precautionary measure, data flow from control systems can be channelized using data diodes to prevent data contamination.

Smart city councils should devise a component protection strategy to identify critical components of interdependent systems for agile risk analysis. A preliminary system interdependency analysis should be conducted to understand the requirements for information continuity at system interfaces, and to identify the critical components that enable the flow of vital information. This should be followed by a probabilistic interdependency analysis to manage the risks of high fidelity interdependent systems like smart grid, smart health monitoring systems for senior citizens and critical patients, and so on. This analysis can be helpful in enhancing the resilience of critical systems in a smart city.

The CPNI Good Practice Guide for Process Control and SCADA Security [3] can be used by city councils to ensure security and trustworthiness of the interdependent systems. It provides a framework based on industry best practices for process control and IT security. The framework focuses on seven key themes:

1) Understanding business risks
2) Implementing secure architecture
3) Establishing response capabilities
4) Improving awareness and skills
5) Managing third party risks
6) Engaging projects for security measures in service design
7) Establishing ongoing governance

Ensuring citizen compliance

Citizens of smart cities are bound to play a crucial role in ensuring the security of interdependent systems from cyber as well as physical security perspectives. Citizens with smart devices are critical points in the cyber system framework, and can be targeted by attackers and hackers to gain entry into the system. This can be done through social engineering, spam emails, data streaming, and other malicious methods. To prevent this, smart city councils should develop policies and procedures for establishment, maintenance, and operation of secure smart services. Cyber-awareness programs should be made mandatory for citizens, and penalties levied for non-compliance.

Making Smart Cities Safe with Effective Risk Management

Understanding and evaluating risks in smart city systems require a pragmatic approach to cyber risk management due to the high level of interconnectedness of smart services and the rapidly evolving nature of constituent systems. With smart cities projected to grow rapidly over the next few years, there is a clear need for smart city councils to focus on mitigating security concerns. Incorporating risk mitigation and developing strong security strategies in the initial planning and service design stages will enable smart city councils to provide safe, secure, and reliable services to their citizens.

[2] ISO, ISO 22301:2012, accessed November 2015
[3] Good Practice Guide Process Control and SCADA Security, accessed November

About TCS IT Infrastructure Services Unit

Leading organizations across industries work with TCS to realize their business transformation and innovation objectives by enhancing the availability, performance and agility of their IT infrastructure. Leveraging a combination of the cloud, new generation delivery models such as IaaS, PaaS, and SaaS, virtualization, and managed services, our offerings deliver the secure, flexible, and reliable IT infrastructure needed to power critical business applications, services and data.

TCS infrastructure offerings encompass data center services, end-user computing (EUC), mobility services, cloud services and transformational solutions, converged network services, managed security services, application management services, enterprise systems management, IT service desk, and IT service management. Backed by our Assess-Build-Manage-Transform framework, extensive partner ecosystem, tools and automation frameworks, and technology Centers of Excellence (CoEs), analytics-led approach, to understand the 'as-is' state, and arrive at the 'to-be' state. As a result, you seamlessly transition from traditional infrastructure management services towards new generation delivery.

About Tata Consultancy Services (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model™, recognized as the benchmark of excellence in software development. A part of the Tata Group, India's largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India.

All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties.

Copyright 2015 Tata Consultancy Services Limited
